From a43420ba07645acb71f31e95b9c7b4e894794afd Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Sun, 6 Dec 2020 22:50:49 -0500 Subject: [PATCH] [mod_wolfssl] add complex preproc logic for SNI add complex preproc logic for SNI detection - HAVE_SNI is not sufficient - HAVE_LIGHTY is not sufficient (in wolfssl <= 4.5.0) Instead, use more complex logic wrapping calls to SNI_Callback() in wolfssl. x-ref: "[lighttpd] -mod-wolfssl inhibited by missing library functionality" https://github.com/openwrt/packages/issues/14142 "put all SNI code behind simpler preprocessor directive HAVE_SNI" https://github.com/wolfSSL/wolfssl/pull/3538 Signed-off-by: Glenn Strauss --- src/mod_wolfssl.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/mod_wolfssl.c b/src/mod_wolfssl.c index a22b0ebe..70f7488b 100644 --- a/src/mod_wolfssl.c +++ b/src/mod_wolfssl.c @@ -2041,13 +2041,22 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p) * && (HAVE_STUNNEL || WOLFSSL_NGINX || HAVE_LIGHTY))) * and sniRecvCb sniRecvCbArg are hidden by *different* set of defines * in wolfssl/internal.h) - * Note: SNI callbacks disabled if wolfSSL is not built OPENSSL_ALL ! */ - #ifdef OPENSSL_ALL /* regretable */ + * Note: wolfSSL SNI callbacks members not present unless wolfSSL is + * built OPENSSL_ALL or some additional combination of preprocessor + * defines. The following should work with more recent wolfSSL versions + * (and HAVE_LIGHTY is not sufficient in wolfssl <= 4.5.0) */ + #if defined(OPENSSL_ALL) \ + || (defined(OPENSSL_EXTRA) \ + && (defined(HAVE_STUNNEL) \ + || defined(WOLFSSL_NGINX) \ + || defined(WOLFSSL_HAPROXY))) + #else + #undef HAVE_SNI + #endif #ifdef HAVE_SNI wolfSSL_CTX_set_servername_callback( s->ssl_ctx, network_ssl_servername_callback); wolfSSL_CTX_set_servername_arg(s->ssl_ctx, srv); - #endif /* regretable */ #else log_error(srv->errh, __FILE__, __LINE__, "SSL: WARNING: SNI callbacks *crippled* in wolfSSL library build"); -- 2.28.0